WordPress Plugin Vulnerabilities

Tourfic < 2.15.4 - Authenticated (Admin+) Arbitrary File Upload

Description

The Tourfic – Ultimate Hotel Booking, Travel Booking & Car Rental WordPress Plugin | WooCommerce Booking plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in all versions up to, and including, 2.15.3. This makes it possible for authenticated attackers, with Administrator-level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.

Affects Plugins

Plugin icon
tourfic
Fixed in 2.15.4

References

CVE
CVE-2025-24650
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/ec2c0542-b5ae-4595-b712-ddcd27d21183

Miscellaneous

Original Researcher
I8BL
Verified
No
WPVDB ID
4fadb58b-700a-4929-ad64-38d4e34fc233

Timeline

Publicly Published
2025-01-24 (about 1 year ago)
Added
2025-01-28 (about 1 year ago)
Last Updated
2025-01-28 (about 1 year ago)

Other

Published
Title
Published
2023-11-14
Title
Slider Revolution < 6.6.16 - Authenticated (Author+) Arbitrary File Upload
Published
2015-03-25
Title
NextGEN Gallery < 2.0.77.3 - CSRF & Arbitrary File Upload
Published
2014-08-01
Title
WP Symposium < 11.12.24 - Remote File Upload Code Execution
Published
2024-07-08
Title
Bit Form < 2.13.4 - Authenticated (Administrator+) Arbitrary File Upload
Published
2014-08-01
Title
Ajax Multi Upload 1.1 - Shell Upload